Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 24 Jan 2013 12:15:07 +0100
From: Frank Dittrich <frank_dittrich@...mail.com>
To: john-dev@...ts.openwall.com
Subject: PDF format incompatibility (jumbo-7 vs. jumbo-8)

I prepared 2 test files, obne freom the jumbo-7 pdf tst cases, one from
the jumbo-8 test cases (both attached).

I also built a john binary based on the jumbo-7 version (john-j7) and
one based on latest git (john-j8).

Tests start with an empty john.pot.

$ ./john-j7 pdf-test7
Loaded 4 password hashes with 4 different salts (PDF MD5 RC4 [32/64])
WHATwhatWHERE?   (WHATwhatWHERE?)
July2099         (July2099)
38r285a9         (38r285a9)
test             (test)
guesses: 4  time: 0:00:00:00 DONE (Thu Jan 24 11:57:46 2013)  c/s: 21.05
 trying: test
Use the "--show" option to display all of the cracked passwords reliably

$ ./john-j8 -show pdf-test7
test:test
July2099:July2099
WHATwhatWHERE?:WHATwhatWHERE?
38r285a9:38r285a9

4 password hashes cracked, 0 left

$ ./john-j8 --format=pdf -show pdf-test7
test:test
July2099:July2099
WHATwhatWHERE?:WHATwhatWHERE?
38r285a9:38r285a9

4 password hashes cracked, 0 left

$ ./john-j8 --format=pdf pdf-test7
Loaded 4 password hashes with 4 different salts (PDF MD5 SHA-2 RC4 / AES
[32/64])
No password hashes left to crack (see FAQ)


$ rm john.pot
$ ./john-j8 --format=pdf pdf-test7
Loaded 4 password hashes with 4 different salts (PDF MD5 SHA-2 RC4 / AES
[32/64])
guesses: 0  time: 0:00:00:00 21.44% (1) (ETA: Thu Jan 24 12:00:38 2013)
 c/s: 1626  trying: 38R285A97
guesses: 0  time: 0:00:00:01 54.25% (1) (ETA: Thu Jan 24 12:00:39 2013)
 c/s: 1815  trying: 38r285a993
guesses: 0  time: 0:00:00:03 74.30% (1) (ETA: Thu Jan 24 12:00:41 2013)
 c/s: 1818  trying: 38r285a941
guesses: 0  time: 0:00:00:04 98.33% (1) (ETA: Thu Jan 24 12:00:41 2013)
 c/s: 1877  trying: 38r285a91918
guesses: 0  time: 0:00:00:05 0.10% (2) (ETA: Thu Jan 24 13:23:58 2013)
c/s: 1426  trying: stephen
guesses: 0  time: 0:00:00:07 0.16% (2) (ETA: Thu Jan 24 13:13:32 2013)
c/s: 1296  trying: flamingo
guesses: 0  time: 0:00:00:08 0.22% (2) (ETA: Thu Jan 24 13:01:13 2013)
c/s: 1200  trying: boston
guesses: 0  time: 0:00:00:09 0.29% (2) (ETA: Thu Jan 24 12:52:20 2013)
c/s: 1125  trying: moroni
guesses: 0  time: 0:00:00:09 0.35% (2) (ETA: Thu Jan 24 12:43:29 2013)
c/s: 1066  trying: anita
guesses: 0  time: 0:00:00:13 0.58% (2) (ETA: Thu Jan 24 12:37:59 2013)
c/s: 897  trying: andrew1
Session aborted

Apparently, pfd format considered these hashes as valid, but missed to
crack them using single mode.

Now, let's use jumbo-7 again to insert these into the pot file:

$ ./john-j7 --format=pdf pdf-test7
Loaded 4 password hashes with 4 different salts (PDF MD5 RC4 [32/64])
WHATwhatWHERE?   (WHATwhatWHERE?)
July2099         (July2099)
38r285a9         (38r285a9)
test             (test)
guesses: 4  time: 0:00:00:00 DONE (Thu Jan 24 12:02:16 2013)  c/s: 20.00
 trying: test
Use the "--show" option to display all of the cracked passwords reliably

$ ./john-j8 --show pdf-test8
0 password hashes cracked, 5 left
$ ./john-j8 pdf-test8
Loaded 5 password hashes with 5 different salts (PDF MD5 SHA-2 RC4 / AES
[32/64])
openwall         (openwall)
testpassword     (testpassword)
openwall         (openwall)
testpassword     (testpassword)
test             (test)
guesses: 5  time: 0:00:00:00 DONE (Thu Jan 24 12:04:05 2013)  c/s: 22.72
 trying: test
Use the "--show" option to display all of the cracked passwords reliably

$ grep 289ece9b5ce451a5d7064693dab3badf101112131415161718191a1b1c1d1e1f
john.pot
$pdf$Standard*badad1e86442699427116d3e5d5271bc80a27814fc5e80f815efeef839354c5f*289ece9b5ce451a5d7064693dab3badf101112131415161718191a1b1c1d1e1f*16*34b1b6e593787af681a9b63fa8bf563b*1*1*0*1*4*128*-4*3*2:test
$pdf$2*3*128*-4*1*16*34b1b6e593787af681a9b63fa8bf563b*32*289ece9b5ce451a5d7064693dab3badf101112131415161718191a1b1c1d1e1f*32*badad1e86442699427116d3e5d5271bc80a27814fc5e80f815efeef839354c5f:test

$ grep 34b1b6e593787af681a9b63fa8bf563b john.pot
$pdf$Standard*badad1e86442699427116d3e5d5271bc80a27814fc5e80f815efeef839354c5f*289ece9b5ce451a5d7064693dab3badf101112131415161718191a1b1c1d1e1f*16*34b1b6e593787af681a9b63fa8bf563b*1*1*0*1*4*128*-4*3*2:test
$pdf$2*3*128*-4*1*16*34b1b6e593787af681a9b63fa8bf563b*32*289ece9b5ce451a5d7064693dab3badf101112131415161718191a1b1c1d1e1f*32*badad1e86442699427116d3e5d5271bc80a27814fc5e80f815efeef839354c5f:test

$ grep badad1e86442699427116d3e5d5271bc80a27814fc5e80f815efeef839354c5f
john.pot
$pdf$Standard*badad1e86442699427116d3e5d5271bc80a27814fc5e80f815efeef839354c5f*289ece9b5ce451a5d7064693dab3badf101112131415161718191a1b1c1d1e1f*16*34b1b6e593787af681a9b63fa8bf563b*1*1*0*1*4*128*-4*3*2:test
$pdf$2*3*128*-4*1*16*34b1b6e593787af681a9b63fa8bf563b*32*289ece9b5ce451a5d7064693dab3badf101112131415161718191a1b1c1d1e1f*32*badad1e86442699427116d3e5d5271bc80a27814fc5e80f815efeef839354c5f:test


Jumbo-8 doesn't recognize the hashes which were stored in john.pot by
jumbo-7.
IMHO, jumbo-8 needs a prepare() function which converts the
$pdf$Standard* hashes into the format expected by the jumbo-8 valid().

Furthermore, the jumbo-8 valid() needs to be improved.
I.e., without a prepare() which converts the jumbo-7 hashes, the jumbo-8
version should have rejected them as invalid.
(After s/:$pdf$Standard/:$pdf$St/, jumbo-8 still treats the hashes as
valid, but it shouldn't.)

Frank

test:$pdf$Standard*badad1e86442699427116d3e5d5271bc80a27814fc5e80f815efeef839354c5f*289ece9b5ce451a5d7064693dab3badf101112131415161718191a1b1c1d1e1f*16*34b1b6e593787af681a9b63fa8bf563b*1*1*0*1*4*128*-4*3*2
July2099:$pdf$Standard*d83a8ab680f144dfb2ff2334c206a6060779e007701ab881767f961aecda7984*a5ed4de7e078cb75dfdcd63e8da7a25800000000000000000000000000000000*16*06a7f710cf8dfafbd394540d40984ae2*1*1*0*1*4*128*-1028*3*2
WHATwhatWHERE?:$pdf$Standard*2446dd5ed2e18b3ce1ac9b56733226018e3f5c2639051eb1c9b2b215b30bc820*fa3af175d761963c8449ee7015b7770800000000000000000000000000000000*16*12a4da1abe6b7a1ceb84610bad87236d*1*1*0*1*4*128*-1028*3*2
38r285a9:$pdf$Standard*6a80a547b8b8b7636fcc5b322f1c63ce4b670c9b01f2aace09e48d85e1f19f83*e64eb62fc46be66e33571d50a29b464100000000000000000000000000000000*16*14a8c53ffa4a79b3ed9421ef15618420*1*1*0*1*4*128*-1028*3*2

openwall:$pdf$4*4*128*-1028*1*16*e03460febe17a048b0adc7f7631bcc56*32*3456205208ad52066d5604018d498a6400000000000000000000000000000000*32*6d598152b22f8fa8085b19a866dce1317f645788a065a74831588a739a579ac4
test:$pdf$2*3*128*-4*1*16*34b1b6e593787af681a9b63fa8bf563b*32*289ece9b5ce451a5d7064693dab3badf101112131415161718191a1b1c1d1e1f*32*badad1e86442699427116d3e5d5271bc80a27814fc5e80f815efeef839354c5f
testpassword:$pdf$4*4*128*-1028*1*16*c015cff8dbf99345ac91c84a45667784*32*0231a4c9cae29b53892874e168cfae9600000000000000000000000000000000*32*137ad7063db5114a66ce1900d47e5cab9c5d7053487d92ac978f54db86eca393
testpassword:$pdf$5*6*256*-1028*1*16*05e5abeb21ad2e47adac1c2b2c7b7a31*127*51d3a6a09a675503383e5bc0b53da77ec5d5ea1d1998fb94e00a02a1c2e49313c177905272a4e8e68b382254ec8ed74800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000*127*dc38f01ef129aae2fca847396465ed518f9c7cf4f2c8cb4399a849d0fe9110227739ab88ddc9a6cf388ae11941270af500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000*32*b8e137baf316e0789ffa73f888d26495c14d31f2cfff3799e339e2fa078649f5*32*835a9e07461992791914c3d62d37493e07d140937529ab43e26ac2a657152c3c
openwall:$pdf$5*5*256*-1028*1*16*762896ef582ca042a15f380c63ab9f2c*127*8713e2afdb65df1d3801f77a4c4da4905c49495e7103afc2deb06d9fba7949a565143288823871270d9d882075a75da600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000*127*15d0b992974ff80529e4b616b8c4c79d787705b6c8a9e0f85446498ae2432e0027d8406b57f78b60b11341a0757d7c4a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000*32*a7a0f3891b469ba7261ce04752dad9c6de0db9c4155c4180e721938a7d9666c7*32*2fa9a0c52badebae2c19dfa7b0005a9cfc909b92babbe7db66a794e96a9f91e3

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ